source="s3://cgsumbrella/*" Action=Allowed
Destination!=192.168.9.20.
Destination!=*in-addr.arpa*
Destination!=*fp.measure.office.com*
Destination!=*sprint.com*
Destination!=*drift.com*
Destination!=*aoltw.net*
Destination!=*yahoo.com*
Destination!=*easyhost.com*
Destination!=*aol.com*
Destination!=*igodigital.com*
Destination!=*doubleclick.net*
Destination!=*cpesmsp.apsx*
Destination!=*microsoft.com*
| eval Office=if(len(Office) > 2, Office, "_INTERNET")
| lookup officeip.csv IP as "ExternalIP" output Office
| eval temp=split(Destination,".") | stats count as total by Office InternalIP ExternalIP Destination temp | where (temp!="" and temp!="com" and temp!="net") | stats count as abnormal by Office InternalIP ExternalIP temp | sort -count | where count>1
| append[ search source="s3://cgsumbrella/*" Action=Allowed
Destination!=192.168.9.20.
Destination!=*in-addr.arpa*
Destination!=*fp.measure.office.com*
Destination!=*sprint.com*
Destination!=*drift.com*
Destination!=*aoltw.net*
Destination!=*yahoo.com*
Destination!=*easyhost.com*
Destination!=*aol.com*
Destination!=*igodigital.com*
Destination!=*doubleclick.net*
Destination!=*cpesmsp.apsx*
Destination!=*microsoft.com*
| eval Office=if(len(Office) > 2, Office, "_INTERNET")
| lookup officeip.csv IP as "ExternalIP" output Office
| eval temp=split(Destination,"-") | stats count as total by Office InternalIP ExternalIP Destination temp | where (temp!="" and temp!="com" and temp!="net") | stats count as abnormal by Office InternalIP ExternalIP temp | sort -count | where count>1]
| append[ search source="s3://cgsumbrella/*" Action=Allowed
Destination!=192.168.9.20.
Destination!=*in-addr.arpa*
Destination!=*fp.measure.office.com*
Destination!=*sprint.com*
Destination!=*drift.com*
Destination!=*aoltw.net*
Destination!=*yahoo.com*
Destination!=*easyhost.com*
Destination!=*aol.com*
Destination!=*igodigital.com*
Destination!=*doubleclick.net*
Destination!=*cpesmsp.apsx*
Destination!=*microsoft.com*
| eval Office=if(len(Office) > 2, Office, "_INTERNET")
| lookup officeip.csv IP as "ExternalIP" output Office
| eval temp=split(Destination,",") | stats count as total by Office InternalIP ExternalIP Destination temp | where (temp!="" and temp!="com" and temp!="net") | stats count as abnormal by Office InternalIP ExternalIP temp | sort -count | where count>1]
| append[ search source="s3://cgsumbrella/*" Action=Allowed
Destination!=192.168.9.20.
Destination!=*in-addr.arpa*
Destination!=*fp.measure.office.com*
Destination!=*sprint.com*
Destination!=*drift.com*
Destination!=*aoltw.net*
Destination!=*yahoo.com*
Destination!=*easyhost.com*
Destination!=*aol.com*
Destination!=*igodigital.com*
Destination!=*doubleclick.net*
Destination!=*cpesmsp.apsx*
Destination!=*microsoft.com*
| eval Office=if(len(Office) > 2, Office, "_INTERNET")
| lookup officeip.csv IP as "ExternalIP" output Office
| eval temp=split(Destination,"_") | stats count as total by Office InternalIP ExternalIP Destination temp | where (temp!="" and temp!="com" and temp!="net") | stats count as abnormal by Office InternalIP ExternalIP temp | sort -count | where count>1]
| append[ search source="s3://cgsumbrella/*" Action=Allowed
Destination!=192.168.9.20.
Destination!=*in-addr.arpa*
Destination!=*fp.measure.office.com*
Destination!=*sprint.com*
Destination!=*drift.com*
Destination!=*aoltw.net*
Destination!=*yahoo.com*
Destination!=*easyhost.com*
Destination!=*aol.com*
Destination!=*igodigital.com*
Destination!=*doubleclick.net*
Destination!=*cpesmsp.apsx*
Destination!=*microsoft.com*
| eval Office=if(len(Office) > 2, Office, "_INTERNET")
| lookup officeip.csv IP as "ExternalIP" output Office
| eval temp=split(Destination,"$") | stats count as total by Office InternalIP ExternalIP Destination temp | where (temp!="" and temp!="com" and temp!="net") | stats count as abnormal by Office InternalIP ExternalIP temp | sort -count | where count>1]
| append[ search source="s3://cgsumbrella/*" Action=Allowed
Destination!=192.168.9.20.
Destination!=*in-addr.arpa*
Destination!=*fp.measure.office.com*
Destination!=*sprint.com*
Destination!=*drift.com*
Destination!=*aoltw.net*
Destination!=*yahoo.com*
Destination!=*easyhost.com*
Destination!=*aol.com*
Destination!=*igodigital.com*
Destination!=*doubleclick.net*
Destination!=*cpesmsp.apsx*
Destination!=*microsoft.com*
| eval Office=if(len(Office) > 2, Office, "_INTERNET")
| lookup officeip.csv IP as "ExternalIP" output Office
| eval temp=split(Destination,"+") | stats count as total by Office InternalIP ExternalIP Destination temp | where (temp!="" and temp!="com" and temp!="net") | stats count as abnormal by Office InternalIP ExternalIP temp | sort -count | where count>1]
| append[ search source="s3://cgsumbrella/*" Action=Allowed
Destination!=192.168.9.20.
Destination!=*in-addr.arpa*
Destination!=*fp.measure.office.com*
Destination!=*sprint.com*
Destination!=*drift.com*
Destination!=*aoltw.net*
Destination!=*yahoo.com*
Destination!=*easyhost.com*
Destination!=*aol.com*
Destination!=*igodigital.com*
Destination!=*doubleclick.net*
Destination!=*cpesmsp.apsx*
Destination!=*microsoft.com*
| eval Office=if(len(Office) > 2, Office, "_INTERNET")
| lookup officeip.csv IP as "ExternalIP" output Office
| eval temp=split(Destination,"!") | stats count as total by Office InternalIP ExternalIP Destination temp | where (temp!="" and temp!="com" and temp!="net") | stats count as abnormal by Office InternalIP ExternalIP temp | sort -count | where count>1]
| append[ search source="s3://cgsumbrella/*" Action=Allowed
Destination!=192.168.9.20.
Destination!=*in-addr.arpa*
Destination!=*fp.measure.office.com*
Destination!=*sprint.com*
Destination!=*drift.com*
Destination!=*aoltw.net*
Destination!=*yahoo.com*
Destination!=*easyhost.com*
Destination!=*aol.com*
Destination!=*igodigital.com*
Destination!=*doubleclick.net*
Destination!=*cpesmsp.apsx*
Destination!=*microsoft.com*
| eval Office=if(len(Office) > 2, Office, "_INTERNET")
| lookup officeip.csv IP as "ExternalIP" output Office
| eval temp=split(Destination,"*") | stats count as total by Office InternalIP ExternalIP Destination temp | where (temp!="" and temp!="com" and temp!="net") | stats count as abnormal by Office InternalIP ExternalIP temp | sort -count | where count>1]
| append[ search source="s3://cgsumbrella/*" Action=Allowed
Destination!=192.168.9.20.
Destination!=*in-addr.arpa*
Destination!=*fp.measure.office.com*
Destination!=*sprint.com*
Destination!=*drift.com*
Destination!=*aoltw.net*
Destination!=*yahoo.com*
Destination!=*easyhost.com*
Destination!=*aol.com*
Destination!=*igodigital.com*
Destination!=*doubleclick.net*
Destination!=*cpesmsp.apsx*
Destination!=*microsoft.com*
| eval Office=if(len(Office) > 2, Office, "_INTERNET")
| lookup officeip.csv IP as "ExternalIP" output Office
| eval temp=split(Destination,"'") | stats count as total by Office InternalIP ExternalIP Destination temp | where (temp!="" and temp!="com" and temp!="net") | stats count as abnormal by Office InternalIP ExternalIP temp | sort -count | where count>1]
| append[ search source="s3://cgsumbrella/*" Action=Allowed
Destination!=192.168.9.20.
Destination!=*in-addr.arpa*
Destination!=*fp.measure.office.com*
Destination!=*sprint.com*
Destination!=*drift.com*
Destination!=*aoltw.net*
Destination!=*yahoo.com*
Destination!=*easyhost.com*
Destination!=*aol.com*
Destination!=*igodigital.com*
Destination!=*doubleclick.net*
Destination!=*cpesmsp.apsx*
Destination!=*microsoft.com*
| eval Office=if(len(Office) > 2, Office, "_INTERNET")
| lookup officeip.csv IP as "ExternalIP" output Office
| eval temp=split(Destination,"(") | stats count as total by Office InternalIP ExternalIP Destination temp | where (temp!="" and temp!="com" and temp!="net") | stats count as abnormal by Office InternalIP ExternalIP temp | sort -count | where count>1]
| append[ search source="s3://cgsumbrella/*" Action=Allowed
Destination!=192.168.9.20.
Destination!=*in-addr.arpa*
Destination!=*fp.measure.office.com*
Destination!=*sprint.com*
Destination!=*drift.com*
Destination!=*aoltw.net*
Destination!=*yahoo.com*
Destination!=*easyhost.com*
Destination!=*aol.com*
Destination!=*igodigital.com*
Destination!=*doubleclick.net*
Destination!=*cpesmsp.apsx*
Destination!=*microsoft.com*
| eval Office=if(len(Office) > 2, Office, "_INTERNET")
| lookup officeip.csv IP as "ExternalIP" output Office
| eval temp=split(Destination,")") | stats count as total by Office InternalIP ExternalIP Destination temp | where (temp!="" and temp!="com" and temp!="net") | stats count as abnormal by Office InternalIP ExternalIP temp | sort -count | where count>1]
... View more